Security News > 2021 > August > Black Hat: Microsoft’s Patch for Windows Hello Bypass Bug is Faulty, Researchers Say

LAS VEGAS - Microsoft Windows 10 biometric user authentication systems Windows Hello can be bypassed, using a single infrared image of a user's face planted on a tampered clone of an external USB-based webcam.

According to research disclosed here at Black Hat USA 2021, the flaw still allows attackers - in some scenarios - to bypass Windows Hello and Windows Hello for Business, used for single-sign-on access to a user's computer and a host of Windows services and associated data.

Giving a nod to previous research on Windows ecosystem's tokens and encryption keys by Benjamin Delpy and Dirk-Jan Mollema, Tsarfati said his hack also sidesteps the need to acquire Azure AD Primary Refresh Tokens used for single sign-on access to Windows.

Using tools to capture the URB packets sent and received by the targeted PC to communicate and validate the Windows Hello authentication, researchers were able to clone a USB camera on a NXP circuit board with IR and RGB sensors.

"Microsoft did release a fix that restricts the number of camera brands it supports with Windows Hello and restricts external cameras, unless a user permits," he said.

Microsoft responded to CyberArk research, explaining that its July Patch Tuesday mitigation includes an allow list of USB devices that are trusted to be used in the Windows Hello authentication phase.

News URL

https://threatpost.com/microsofts-patch-windows-hello-faulty/168392/